How to Configure the Logstash Date filter

Even though Logstash is great for parsing events as they happen, you can also use it to process historical data. Normally, Logstash timestamps an event with the time at which the event was first processed. This isn’t ideal when you’re trying to analyze historical data. Logstash provides the date filter to help parse dates and set timestamps.

Quick Info

The short version

The date filter parses dates using formats as defined by the Joda Time library. All you need to do is specify the field and the format it conforms to, and Logstash will timestamp the event according to the contents of the field. If the field is missing or empty, the filter won’t update the event.

Month and weekday names might be in a different locale. Use the locale setting to ensure that they are parsed correctly. The setting should be in the format lang_country_variant, such as eng_US_POSIX. The country and variant parts are optional, so you can get away with just setting it to eng.
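
A minimal pipeline that re-timestamps historical web access logs, given here as an added example rather than configuration from the original article. The field name `log_time`, the sample line, and the choice of stdin/stdout are assumptions; the locale is written as the language tag `en`.

```logstash
# Constructed sample input line (not from a real system):
#   10.0.0.5 - - [04/Oct/2023:13:55:36 +0200] "GET /login HTTP/1.1" 401 512
input { stdin { } }

filter {
  grok {
    # Capture the bracketed time into the assumed field "log_time".
    match => { "message" => "\[%{HTTPDATE:log_time}\]" }
  }

  date {
    # Field to read, followed by the Joda Time format it conforms to.
    match  => ["log_time", "dd/MMM/yyyy:HH:mm:ss Z"]
    # "Oct" is an English month abbreviation, so pin the locale instead of
    # relying on the platform default of the host running Logstash.
    locale => "en"
    # Write the parsed value to the event timestamp (this is the default).
    target => "@timestamp"
  }

  # If log_time is missing, the date filter leaves @timestamp at processing
  # time. If it is present but unparseable, the event is tagged
  # _dateparsefailure; keep the raw field in that case for later review.
  if "_dateparsefailure" not in [tags] {
    mutate { remove_field => ["log_time"] }
  }
}

output { stdout { codec => rubydebug } }
```

When rebuilding a timeline from old logs, search for events tagged `_dateparsefailure` before trusting the ordering, because those events still carry the time they were ingested.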